GitGuardian Platform Reviews

We use the GitGuardian Platform for internal security monitoring. Initially, we employed it to identify any secrets from our internal repositories that might have been accidentally exposed publicly and then expanded our use of GitGuardian to remove secrets from our private repositories, also.

Our company has grown through acquisitions. To address this complexity, we've integrated GitGuardian with our development teams. This allows them to identify secrets within any repository so they can be quickly remediated, ultimately enhancing the security of our codebase.

GitGuardian helps us prioritize remediation quickly. The alerting component is helpful because it lets people know immediately when something suspicious appears. Additionally, the code context feature is valuable as it shows developers exactly where the issue occurs in their code. They can even click a link to jump directly to that location in GitHub. These features significantly speed up the process for developers to identify and remove vulnerabilities.

GitGuardian effectively supports a shift-left security strategy. This is because it integrates directly with the code repository, allowing for near real-time feedback on potential security issues before code is merged into production branches. This early detection is highly valuable. Furthermore, GitGuardian's command-line interface provides another layer of convenience. Developers can proactively search for and address security concerns before pushing their code.

GitGuardian improves collaboration between our developers and security teams on remediation efforts. The centralized dashboard is tremendously helpful for managing across a multitude of teams and hundreds of engineers. It allows me to see the progress of each team. This visibility makes it much easier to communicate with them. For instance, I can identify teams that might need assistance or recognize those that are successfully reducing vulnerabilities.

GitGuardian has dramatically improved our ability to detect secrets by shedding light on previously hidden vulnerabilities.

Our security productivity has increased significantly. Simply by making this information readily available to developers, we've empowered them to take action. Previously, this wasn't easy, especially when dealing with inherited legacy code. Developers often wouldn't know where these secrets were hidden within the codebase. This improved visibility has made security issues much more actionable for our developers.

With over 6,000 repositories, GitGuardian's automation capabilities have saved us many months of research.

GitGuardian has reduced our mean time to remediation. This ability to track security issues and communicate proactively with teams undoubtedly means we can also remediate them faster.

In general, we use Gitguardian as a safety net. We have our internal tools for validating that there is no sensitive data in there. GitGuardian is a more general and robust solution to double-check our work and make sure that if we are committing something, it only contains development IDs and not anything that is production-centric or customer-centric.

The main way in which we're using it at the moment is that it is connected through the GitHub integration. It is deployed through our code review process. When pull requests are created they connect with GitGuardian, which runs the scan before there is a review by one of our senior devs. That means we can see if there are any potential risk items before the code goes into the main branch.

It automates tasks and allows more individuals at the company to handle remediation. It provides visibility for the pull requests. It is integrated into our code review and deployment processes, and that integration allows the author to address an issue almost immediately, rather than waiting for a time-consuming review, and then manually asking the author to address it. It provides a nice safety mechanism, giving us some assurance that if something got forgotten along the way, we are notified before we make it a part of our codebase. It is much harder to remove something after it is merged than to do so beforehand.

It helps in quickly prioritizing remediation. We have set up GitHub and our pull requests in a way that there are numerous checks that have to be passed. The code that is submitted can't be brought into the codebase until anything flagged is addressed as a test credential, a false positive, or the original branch is corrected. Fortunately, so far, they've all been false positives or test credentials. But it puts a stopping point in the process before it can go live with that information in there.

What is particularly helpful is that having GitGuardian show that the code failed a check enables us to automatically pass the resolution to the author. We don't have to rely on the reviewer to assign it back to him or her. Letting the authors solve their own problems before they get to the reviewer has significantly improved visibility and reduced the remediation time from multiple days to minutes or hours. Given how time-consuming code reviews can be, it saves some of our more scarce resources.

GitGuardian has also helped in bringing the responsibility of remediation to the entire team. Rather than having remediation as a part of the review process, where some of the more senior and experienced developers bring something up, it allows the whole team to handle that process. In the long run, it will encourage the team to think about those sorts of things before even submitting code, based on the responses they see from GitGuardian. It has increased the productivity of the security team by reducing the load on our small team. It puts the burden onto the entire team rather than the security team. Instead of them requesting remediation manually, it is automated as a part of our deployment process. It is definitely saving us hours per incident.

Time to remediation is now in minutes or hours, whereas it used to take days or weeks previously. That's the biggest improvement. Because it is automated and visible to the author, someone from the security team doesn't have to remind them or recheck it. That means the slowdown in the deployment process has definitely been improved by an order of magnitude. There is easily a 30-hour improvement on time to remediation, which is about an 85 percent improvement.

We use it mostly to look for secrets in our repositories so we can inform the developers not to do that.

The recommendation is always get this out of your code. One of the things that they added over the year was the ability to reach out to the developer directly to get feedback. This helps us know if the developer is aware of it or it is actually not a secret. So, we don't have to break out of the app, then go into Slack and ask.

We consider all secrets in the source code a Priority 1. We expect every developer to remediate them as soon as they are notified. We don't have a ranking of what is important. We consider them all Priority 1, getting them done first.

It definitely gets us to catch these secrets earlier, instead of after they have made it into production.

With the new feedback system, it has definitely improved our lives. When my security team gets alarms and we don't immediately know that it is a false positive because it is in the test directory, we have questions sometimes whether it is a secret. We then need to work with them to find out what this thing can actually do. The security team has the ability to immediately reach out to the developer and get feedback via email in a portal, where the developer can see what we see and put comments on it, which has drastically improved our lives. We are a worldwide company so we have engineers in a dozen countries. Sometimes, the engineer who made the bad commit isn't even awake, so sending a Slack message doesn't get a response. This is more pressing, so it helps us.

Every engineer has to use it. As we grow, obviously more engineers will be using it. We will probably be at about 100 engineers by this time next year. I don't think that they have any other features or things that we would grow into on the internal side. 

We brought in GitGuardian Internal Monitoring to review all of our code within GitHub so that we can identify and fix any exposed secrets.

I have been very impressed with the breadth of its detection capabilities. I did a proof of concept with a couple of other common tools for the same kind of thing, and I found GitGuardian to be the best. It finds everything that I would expect it to find. It found more than I thought we would find, so I am very happy with the detection.

I am very happy with the number of specific detectors and keys that it can find for Google, AWS, Twitter, Facebook, etc. It has a lot of specific detectors for different categories, but it also has quite a lot of automatic validity checking, so it can tell whether your Twitter keys or AWS keys are active and or have been revoked. If they are revoked, it is not a problem. Validity checking is fantastic.

GitGuardian Platform's accuracy is incredibly high. There are a couple of categories of generic secrets that I can find. When you turn those on, you end up with quite a few false positives. With the specific detection categories, the false positive rate is incredibly low, but when you turn on the generic categories, it goes up a bit. I am very happy with the number of things that it does find, instead of focusing on true positives versus false positives.

It has not helped to decrease false positives because we did not have a tool in the first place, so we did not have any false positives. We have not decreased our rate at all.

GitGuardian Platform has absolutely helped to quickly prioritize remediation. The severity or criticality that the tool automatically assigns has been very helpful. The built-in validity checking has also been helpful. Whenever you have keys that are marked as valid within the tool, you know that they are high priority and need to be resolved sooner than the ones that are not marked as valid.

We have significantly reduced our potential risk exposure of secrets. In the past nine months, by using GitGuardian, we have been able to identify and resolve a large number of secrets within our code, which reduces the risk if our code were to become public. It has greatly reduced our security risk. It has reduced the potential risk of exposure of secrets by about 75%. We have not only been able to resolve existing issues; we are also more likely to prevent these issues from occurring with improved security culture and the features within the tool.

GitGuardian Platform efficiently supports our shift-left strategy. It provides a command line interface, which can link with the shift left with your standard development processes. Whenever developers are writing code and trying to commit and push that up to GitHub, the command line interface can be integrated into that to prevent secrets from getting into GitHub. It can help go almost as far left as possible.

GitGuardian Platform has greatly improved awareness, and it has reduced the number of secrets that end up in our code. There has been a two-layer impact where it has helped people think about this as an issue and it has also helped them stop doing it even if they are not thinking about it.

GitGuardian Platform has improved our ability to collaborate. We work closely with the development teams to identify the issues, investigate the issues, and troubleshoot and resolve those issues. Due to the way the tool works, it has helped us gather people into teams and work with them so that we can help resolve the findings.

We have one or two of the playbooks automatically enabled. So far, I find them very helpful. The main one so far is that the secrets will automatically resolve when they are revoked, which is incredibly useful. For example, whenever someone goes into the AWS platform to revoke AWS keys, they do not have to go into GitGuardian. It automatically detects that they have been revoked and closes the issue. It is a lot less work than having to go into two different tools and more. There are a couple of playbooks we have for the CLI, so whenever we ignore issues via CLI because something might be a false positive or something might only be a testing key, it will auto-resolve within the UI. The playbooks make it easier to avoid using the UI, but you do not have to. It is one of the catch-22 situations. There is UI, but they are enabling you to not even have to check it in the first place. Playbooks have reduced 50% to 60% of manual work. If developers accidentally commit active keys, they do not have to go in. They do what they need to do to resolve the keys. They do not need to think about it again.

GitGuardian Platform has increased our security team's productivity by about 50%. When we previously had noticed keys, it would have been manual. It would only have been occasionally when I was looking through the code and found the keys. I would have had to reach out to developers and discuss that. It has definitely greatly increased our productivity because we can now automate sending out tickets and assigning them to the right teams. A couple of clicks can send out the information for someone to look into rather than having to message them and try to discuss it with their team. It is a lot more automated.

It is hard to measure the increase in secrets detection rate because previously, we did not have any solution, so we were not detecting anything. After implementing GitGuardian, we can now see what we have got.

Similarly, it is hard to measure the reduction in the mean time to remediation as we did not have something before. It was more manual before. There is probably a 70% reduction because, previously, if I found an issue, I would reach out to our team and spend a while discussing it with them, whereas now, we can just send out a Jira ticket. They can log in and have a look. There is a lot less discussion back and forth.

We procured it as a secrets and code detection solution. We have code bases, some of which are 10-years-old. We needed a way to comb through all of the Git histories to see if any developers had committed secrets to our code in the past as well as catch any new secrets that developers may accidentally commit in the future.

We are using GitGuardian Internal Monitoring.

Without GitGuardian, we wouldn't be doing real-time detection of secrets. It would be something that we did periodically. Maybe quarterly or semi-annually, we would review our code for secrets. This means that the mean time to detection would be much longer. GitGuardian reduces our mean time to detect substantially. In addition, we would be finding out about secrets much further away from the time that they were introduced into the code base. We would be chasing people down to give us information about things that they did weeks or months ago. This would drastically reduce the effectiveness of us being able to triage and remediate the leaked secrets.

We don't have to do a periodic review to see if there are any secrets in our code bases. I would estimate, if we were to do that on a quarterly basis, we would be spending an entire week per quarter on it that we don't have to spend now. Therefore, it saves us a week every quarter in pure effort.

If we did not have GitGuardian, our mean time to detection would be much longer. We would have a substantial amount of risk that a set of credentials or a secret was being used maliciously. Every quarter, there was a security incident that came from the risk of these credentials living in our code bases. That might be another week worth of effort that our security team would have to deal with. Since we are catching things immediately, that risk is inherent in our environment and we don't have to worry about a security incident happening. The chances are much lower. We take a week of pure effort to review secrets that went away. Then, there is a week of dealing with security incidents that come from the secrets living in our code bases.

The solution efficiently supports our shift-left strategy.

We are using GitGuardian Internal Monitoring on our GitHub Enterprise repositories to make sure that our developers are not introducing any secrets into the code. Those secrets could be things like database passwords, connection strings, or AWS credentials. We use it when they commit code to our GitHub internal repositories.

We want to make sure that none of our secrets get committed and GitGuardian is doing a great job identifying them. It has the ability to scan our repositories and identify older commits that have secrets, meaning in code that was committed even four or five years ago, and that has gone unnoticed until we implemented GitGuardian.

Most of our dev teams have a GitGuardian CLI installed on their local machines. Even before a commit gets to GitHub, the CLI identifies secrets within the code and doesn't allow the commit to go ahead. That drastically reduced the number of secrets being committed.

We use Azure DevOps for our CICD and GitGuardian helps support a shift-left strategy. There is all the pipeline-related code that is checked into the repositories and secrets tend to creep into that code, such as RAML files and environment secrets. GitGuardian helps us identify those secrets when they are committed. Not all our dev teams are using GitGuardian's CLI—we are trying to get them to adopt it 100 percent, but we're not there yet—and there are occasions where someone is testing out a pipeline and, by mistake, they don't declare the secrets properly in the code that is being checked into Azure. We get notified and, immediately, the teams work to remove those secrets.

Historically, in our organization, people have been committing AWS secrets, such as access IDs and secret code into our GitHub repositories, because they were testing out something. It could be that they were doing a PoC, and not implementing a full-blown secrets manager where they store and pull the secrets from. After implementing GitGuardian, we were notified of these secrets immediately. And even though they were doing PoCs, we were able to get them revoked immediately, which means removing the secrets from AWS as well as the code and issuing new secrets.

We were also able to help the teams to use AWS Secrets Manager or the Vault to store their secrets. GitGuardian actually provides sample code snippets, which are pretty decent, for pulling secrets from AWS Secrets Manager or Vault.

In addition, the solution has increased our secrets detection rate by almost 100 percent. Pretty much any secret that gets committed is identified and the team is notified. We have almost 100 percent coverage and that is pretty robust.

When it comes to our security team's productivity, because our processes are being monitored by GitGuardian, we don't have to run any scripts or scans or out-of-the-box solutions. We don't worry about secrets being leaked or introduced into our repositories. We rely on the product to keep us aware of our secrets management in our repositories and that enables our security team to focus on other security-related tasks. They don't have to spend a lot of time worrying about how to detect issues and, instead, depend on GitGuardian. They have confidence in the ability of the product to identify the types of secrets that our people are committing. They are definitely being flagged.

Now, we may be spending a couple of hours and a week addressing incidents that come up or addressing the old ones that are still being tracked for remediation. We had around 500 secrets management incidents when we fully implemented GitGuardian. We are now down to 20 or 30, which are old but still need remediation. Those old secrets have been revoked, but they are still sitting in our GitHub history. We need to reach out to GitHub support to get those taken out, replace those repositories, and run garbage collection on them.

And because identification of the secrets being introduced is almost instant, the pull request doesn't go through, and Slack alerts are immediately sent out. As a result, the mean time to remediation is within a day, if not even sooner. These secrets are mainly dummy secrets that people are using for testing code. But we don't want even those to be introduced. The idea is to have teams use secrets management services like AWS Secrets Manager or Vault from the get-go. We are close to 90 percent utilization of AWS Secrets Manager or Vault to store secrets because of GitGuardian Internal Monitoring.

Our main use case is operational security. We have a big IT platform. A lot of it is built in-house. We are not a focused IT company. We are a retailer. We have a lot of developers with a lot of different levels and projects. For example, with fashion brands, it is just, "Oh, we want to do this new app," and then they put it on our GitHub. Suddenly, we see all kinds of API keys and secrets in there. This solution is very useful for us because GitGuardian lets us know about them, then we can take care of it.

It is on the cloud. We gave GitGuardian access to our organization and codebase. It just scans it on an ongoing basis.

Since using GitGuardian Internal Monitoring, we have found potentially enterprise-destroying secrets in our GitHub. For example, if our Git got compromised or we had a rogue employee, they could get a lot of business-critical data, disrupt the business, or put us at very high risk. More or less, we are now somewhat protected against that. Now, we are at a stage where we are just keeping an eye on it. As soon as a developer pushes something or does something, we get informed and act on it. The exposure time is very small. Before GitGuardian, we had secrets for years that we did not know about.

As soon as a new secret is detected, we get an email. We look at it, then contact the developers. It is a very fast process. For example, if it is my code and I pushed it, that is the fastest scenario. It is my problem. GitGuardian finds it, then I can fix it myself. I don't have to call another team, talk to them, etc. It could be within a minute that it is remediated.

We monitor our GitHub repositories for security violations and secrets. We have our organization on github.com for infrastructure as code and our use case is to find security violations as soon as possible. When development uses active tokens or passwords on github.com, we need to immediately escalate things to the right person, so they will be removed.

We started with public monitoring and switched to internal.

We have not tracked whether there has been a decrease in false positives, but GitGuardian has helped us to keep input clean, as much as possible, for infrastructure. 

It also gives us more visibility and helps to create awareness about security in our code.

Another benefit is that the speed of remediation has been significantly improved because we get notification immediately, as issues are detected, very close to the check-in time. We are then able to assign them to the responsible party for correction, according to our SLA.

There are times where it finds issues every two days, but of course, some of them are false positives. But our data for October, 2021 shows a 48 percent decrease in incidents from previous months, and that's a very good sign that development is reading our reports.

GitGuardian also efficiently supports our shift-left strategy. It gives us the ability to provide more information, and earlier, to development. That means when the time comes for releases, the code is clean from a security standpoint.

Using the solution, we have also seen an increase in the secrets-detection rate. We didn't have a previous solution, so in that sense, when we started to use it, the increase was 100 percent. For infrastructure as code, the increase is significant. Compared to the previous year, the dashboard shows it is 73 percent.